SANS ISC InfoSec Forums

HP JetDirect based printers are extremely popular in academia and elsewhere around the Internet. As such, they need to be protected from malicious use just as we protect the general-purpose computers and other network devices on our networks.

Note: the concepts presented in this Tip of the Day may be used in other network printers, though I haven't messed with other varieties enough to know the details.

My first suggestion is to firewall printers off from Internet access. Force connections to the printer to originate from your locally managed network, or from a VPN-authenticated computer residing elsewhere.

Unfortunately in academia, we rarely know the IP address of every network printer on our network, and I would suspect that in the corporate world this can be true as well without very strictly enforced policies. Even if you know every printer and its IP on your network today, tomorrow it could be different after someone brings in a new super fast, color, duplexing, mailbox-output-tray, hard drive, extra fonts, Bluetooth, infrared, FireWire, USB, network, mp3-playing, digital-media-card-reading, all-in-one, scanning, faxing, washing-the-dishes-in-the-kitchen-sink printer and installs it without your knowledge or approval.

Here you are left with a few choices.

Use a tool like nmap or nessus to scan for a few choice TCP or UDP ports used by printers and run some type of version or OS detection on the results. (Some of the TCP ports to look for are 21, 23, 80, 280, 515, 631 and 9100; 9100 is the JetDirect raw printing port, and the cards also answer SNMP on 161/udp.)

ARP-walk your routers/switches looking for the MAC addresses (HP's OUI prefixes) of the HP JetDirect or other printers.

The DHCP method.

The first two are time consuming and will have to be repeated often to keep track of newly added printers.
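As an added example of the scanning approach (written for this edit, not code from the ISC diary), the script below wraps an nmap sweep of the ports listed above and then filters nmap's grepable output down to hosts that either have 9100/tcp open or announce a JetDirect banner. The address range, file names and the sample scan output are constructed; nmap itself is assumed to be on PATH and run as root for the SYN scan, while the filter needs only awk and runs offline against the embedded sample.

```shell
#!/bin/sh
# Added example, not from the ISC diary: sweep a range for the printer ports
# the diary lists, then pull hosts that look like JetDirect cards out of
# nmap's grepable (-oG) output.

PRINTER_PORTS="21,23,80,280,515,631,9100"   # ftp, telnet, http, http-mgmt, lpd, ipp, raw/JetDirect

# scan_printers <cidr-or-range> <output.gnmap>
# -sV grabs service banners (HP cards identify themselves), --open keeps the
# output to hosts that actually answered. Needs nmap and root; not run here.
scan_printers() {
    nmap -sS -sV --open -p "$PRINTER_PORTS" -oG "$2" "$1"
}

# jetdirect_hosts <file.gnmap>
# Print the IP of every host with 9100/tcp open or a JetDirect banner on any
# port. In -oG output field 2 of a "Host:" line is the address.
jetdirect_hosts() {
    awk '/^Host:/ && /Ports:/ && (/9100\/open/ || /[Jj]et[Dd]irect/) { print $2 }' "$1"
}

# Constructed sample of -oG output (not real scan data, spaces instead of the
# tabs nmap emits) so the filter can be exercised without scanning anything.
sample_gnmap() {
    cat <<'EOF'
# Nmap 7.80 scan initiated as: nmap -sS -sV --open -p 21,23,80,280,515,631,9100 -oG printers.gnmap 10.1.2.0/24
Host: 10.1.2.3 (lj4100.example.edu)  Ports: 80/open/tcp//http//HP JetDirect httpd/, 9100/open/tcp//jetdirect///  Ignored State: closed (5)
Host: 10.1.2.4 ()  Ports: 80/open/tcp//http//Apache httpd/  Ignored State: closed (6)
Host: 10.1.2.5 ()  Ports: 515/open/tcp//printer///, 9100/open/tcp//jetdirect///  Ignored State: closed (5)
Host: 10.1.2.6 ()  Status: Up
# Nmap done -- 256 IP addresses (4 hosts up) scanned
EOF
}

# Typical run (commented out so the file can be sourced without scanning):
# scan_printers 10.1.2.0/24 printers.gnmap && jetdirect_hosts printers.gnmap
```

Run the sweep against one known printer first and keep it slow; as the update at the end of this diary notes, older JetDirect firmware does not always survive being scanned.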

So, what is the DHCP method?

HP devices with JetDirect cards send a DHCP vendor class identifier (option 60) that announces them to the DHCP server as 'Hewlett-Packard JetDirect'. You should be able to log this on your DHCP server and use it for custom applications, or you can key DHCP options off this identifier that tell the printer to download a configuration file from a local TFTP server; that file carries an allow entry (the JetDirect equivalent of a hosts.allow line) so the card only accepts connections from your institution's IP range. Since all HP printers use DHCP by default (as in factory defaults), you have a catch-all mechanism for the printer that gets reset to factory defaults without anyone resetting the passwords, and for new printers that users put on the network without you noticing or approving.

Using this same method with MAC address lists you can build a set of known special printers (such as the one used by your CEO, Chancellor, President or other VIP) that should only be reachable from certain computers/servers. These get a separate config file with additional options. In addition to setting authorized IPs, one can also disable features such as the AppleTalk and IPX protocols where they are unnecessary in your environment. You can also set items like contact name, location, syslog server and the like. However, you should be careful to make sure that every configuration feature you are enabling/disabling is supported by the particular HP JetDirect model, and keep in mind that the MAC address and vendor class are supplied by the client: they select which config a card receives, they do not authenticate it.
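To make the DHCP method concrete, here is an added example (written for this edit, not part of the original diary) of an ISC dhcpd class that keys on the JetDirect vendor class identifier, a MAC-pinned host entry for one VIP printer, and the two JetDirect TFTP configuration files they point the cards at. All addresses, the MAC, the file paths and the contact details are constructed; the JetDirect file parameter names follow HP's Jetdirect administrator's guide and should be checked against the guide for the specific card model, since not every model supports every parameter.

```conf
# --- /etc/dhcpd.conf (ISC dhcpd) --- added example, not from the diary
# Catch-all: any client announcing itself as a JetDirect card is pointed at the
# local TFTP server (10.0.0.5, assumed) for the baseline configuration file.
class "jetdirect" {
    match if option vendor-class-identifier = "Hewlett-Packard JetDirect";
    next-server 10.0.0.5;                      # BOOTP siaddr: TFTP server
    filename "jetdirect/default.cfg";          # BOOTP file field
    option tftp-server-name "10.0.0.5";        # same information as DHCP options 66/67
    option bootfile-name "jetdirect/default.cfg";
}

# Known VIP printer, pinned by MAC (constructed address), with its own file.
host ceo-printer {
    hardware ethernet 00:11:22:33:44:55;
    fixed-address 10.1.2.3;
    filename "jetdirect/ceo.cfg";
}

# --- /tftpboot/jetdirect/default.cfg --- baseline pushed to every JetDirect card
passwd: ChangeMe-16max                         # Jetdirect admin password, stored in cleartext here
sys-contact: helpdesk@example.edu
sys-location: unknown, see helpdesk
syslog-svr: 10.0.0.6                           # assumed syslog collector
allow: 10.0.0.0 255.255.0.0                    # only the institution's range may talk to the card
ipx-config: 0                                  # disable IPX/SPX
appletalk: 0                                   # disable AppleTalk
telnet-config: 0                               # turn off the telnet admin interface

# --- /tftpboot/jetdirect/ceo.cfg --- tighter file for the pinned VIP printer
passwd: ChangeMe-16max
sys-contact: helpdesk@example.edu
sys-location: Building 1, executive suite
syslog-svr: 10.0.0.6
allow: 10.1.2.10                               # the print server that spools for this printer
allow: 10.1.2.11                               # the backup print server
ipx-config: 0
appletalk: 0
telnet-config: 0
```

Two things to check before relying on this. First, the card fetches the file over plain TFTP with no authentication and the file sets the admin password in cleartext, so the TFTP server itself should only be reachable from the printer subnet (anything that sends the same vendor class string would otherwise be handed the file). Second, confirm on your own dhcpd which scope wins when a host entry and a class both set filename; the host entry is the intended override here.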

Last but not least, put all of the printers into their own printer VLAN. This may make it easier for you to do maintenance tasks on them, check versions of the JetDirect cards and the like if they are all in one virtual area. I am sure there are other reasons that you could/should VLAN them together, but I will leave that to your imagination.

If you have other HP JetDirect security resources, please share and I will update the diary later tonight/tomorrow with those links.

Update 1:

Overnight we have had a number of very useful links to add to the tip of the day. Thanks to Jerry, Charlie, Jack, Kahlib and others that shared more useful information.

It is highly recommended that users update the firmware on their specific models of JetDirect. This will help the security posture some, and in some cases protect the card from being crashed by your own nmap scan, or from the newest lpr-based worm that causes the printer to output reams of garbage.